Drupal.org

Come for the software, stay for the community
Drupal is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active and diverse community of people around the world.

Drupal 8.3.7 is a maintenance release which contains fixes for security vulnerabilities.
Download Drupal 8.3.7
Updating your existing Drupal 8 sites is strongly recommended (see instructions for Drupal 8). This release fixes security issues only; there are no new features nor non-security-related bug fixes in this release. See the 8.3.7 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.
Advisory ID: DRUPAL-SA-CORE-2017-004
Project: Drupal core
Version: 8.x
Date: 2017-Aug-16
Security risk: 15/25 (Critical) AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Multiple vulnerabilities
Description
Views - Access Bypass - Moderately Critical - Drupal 8 - CVE-2017-6923
When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view.
It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.
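The practical check behind this advice is to find every view display on the site whose access plugin is "none", because those are the displays the Ajax endpoint could serve without a permission or role check. The following is an added example (not Drupal core code) of such an audit for Drupal 8; it assumes it is run from the site root with Drush's `php:script` command, and the script file name is an arbitrary choice.

```php
<?php
// Added example, not Drupal core code. Run from a Drupal 8 site root with:
//   drush php:script audit_views_access.php   (file name is an assumption)
// Lists enabled view displays whose access plugin is 'none'.
use Drupal\views\Entity\View;

/**
 * Returns "view_id:display_id" strings for every enabled display that has
 * no access restriction at all (access plugin type 'none').
 */
function audit_views_access(): array {
  $unrestricted = [];
  foreach (View::loadMultiple() as $view_id => $view) {
    if (!$view->status()) {
      continue; // a disabled view has no reachable displays
    }
    $displays = $view->get('display');
    // The default (master) display holds the access settings that other
    // displays inherit unless they override them.
    $default_access = $displays['default']['display_options']['access'] ?? ['type' => 'none'];
    foreach ($displays as $display_id => $display) {
      $options = $display['display_options'] ?? [];
      if (isset($options['enabled']) && $options['enabled'] === FALSE) {
        continue; // explicitly disabled display
      }
      // A display overrides access when display_options.defaults.access is FALSE.
      $overridden = isset($options['defaults']['access']) && $options['defaults']['access'] === FALSE;
      $access = $overridden ? ($options['access'] ?? ['type' => 'none']) : $default_access;
      if (($access['type'] ?? 'none') === 'none') {
        $unrestricted[] = "$view_id:$display_id";
      }
    }
  }
  return $unrestricted;
}

foreach (audit_views_access() as $entry) {
  echo $entry, PHP_EOL;
}
```

Every line printed is a display that relies on nothing but obscurity; the remedy is to set a permission- or role-based access plugin on the default display (or on the overriding display) rather than on the block or page that embeds it.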
REST API can bypass comment approval - Access Bypass - Moderately Critical - Drupal 8 - CVE-2017-6924
When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments.
This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.
Entity access bypass for entities that do not have UUIDs or have protected revisions - Access Bypass - Critical - Drupal 8 - CVE-2017-6925
There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity.
Versions affected
Drupal core 8.x versions prior to 8.3.7
Solution
Install the latest version:
If you use Drupal 8.x, upgrade to Drupal core 8.3.7
Drupal 7 core is not affected, however, Drupal 7 Views is: see Views - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068
Also see the Drupal core project page.
Reported by
Views - Access Bypass
Maxim Podorov
REST API can bypass comment approval - Access Bypass
Arshad
Entity access bypass for entities that do not have UUIDs or protected revisions - Access Bypass
Miles Worthington
Fixed by
Views - Access Bypass
Klaus Purer
Daniel Wehner
Michael Hess of the Drupal Security Team
Len Swaneveld
Wim Leers
REST API can bypass comment approval - Access Bypass
Daniel Wehner
Arshad
Lee Rowlands of the Drupal Security Team
Wim Leers
Sascha Grossenbacher
Entity access bypass for entities that do not have UUIDs or protected revisions - Access Bypass
Andrei Mateescu
Peter Wolanin of the Drupal Security Team
Matthew Donadio
xjm of the Drupal Security Team
Sascha Grossenbacher
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
[...]

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.
Drupal.org updates
Better Distribution packaging
Distributions are a cornerstone of Drupal, giving site-builders a head start by packaging together proven modules and themes from contrib to build a Drupal site to purpose. In July we spent some time improving the functionality for packaging distributions on Drupal.org, by updating Drupal.org's packaging system to use Drush 8. This resolves several issues:
Distributions may now use features from version 8 of Drush.
Package manifest details are now properly displayed for all distributions.
Distributions no longer need to nest contrib projects.
We hope that these changes will help distribution maintainers.
reCAPTCHA
One of the key tools we use to prevent spam on Drupal.org is Mollom, which will reach end of life next year. To replace it, we've implemented reCAPTCHA on Drupal.org, and updated our privacy policy accordingly. We have not yet disabled Mollom, because Mollom is a content analysis tool in addition to a captcha tool. Because reCAPTCHA does not duplicate that content analysis functionality, we'll be monitoring spam attack patterns on Drupal.org to see whether reCAPTCHA will be sufficient as a standalone replacement.
Easier addition of new documentation guides and pages
It's hard to believe that the new documentation system has been in use for almost a year. We've made a number of improvements after the initial release to improve usability for both contributors and maintainers of documentation, and to encourage project maintainers to migrate their docs. One piece of feedback we've heard several times is that the 'add content' links in the sidebar of a documentation guide were too difficult to find. To make it easier for documentation contributors to add new sub-guides and pages, we've added a new page link to the 'Edit' menu of documentation guides.
Webmasters and documentation moderators can administer all docs
Finding maintainers for the over 12,000 pages of documentation on Drupal.org continues to be a challenge, and so we've given all users with the Webmaster and Documentation Moderator role the ability to administer any documentation guide. This will expand the pool of users who can help to manage documentation and manage documentation maintainers. Good documentation for a project of Drupal's scale is a community-driven effort and we're incredibly thankful for all the volunteers who contribute.
Any confirmed user may claim unmaintained documentation guides
We also now allow any unmaintained guide to be claimed by any confirmed user—automatically adding them as the maintainer for that guide. This should make it much easier for new contributors to take up the mantle of maintaining sections of documentation on Drupal.org.
Learn more about maintaining documentation by reading our content guidelines.
For evaluators
Updated industry page call to action
The Drupal.org industry pages are a new experiment for the Drupal Association this year, with a goal of reaching out to Drupal evaluators in specific markets. The success stories we showcase on these pages demonstrate the power of Drupal in these industries, but we also want these pages to be an opportunity to connect evaluators with experts who can help them achieve their goals with Drupal. To enhance our efforts to connect Drupal evaluators to experts in their industry, we've added an additional call to action at the top of the industry page to encourage evaluators to connect with experts.
Front page case study promotion for supporting partners and top contributors
In July we laid the groundwork for promoting a second row of case studies on the Drupal.org home page. The second row will feature case studies from supporting partners and top Drupal contributors. These will not replace the existing row of case studies that are featured through the community process, but will supplement these case studies with additional stories fro[...]

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.
Drupal.org updates
Healthcare industry page launched
One of our major goals this year is to highlight the power of Drupal in key industries. The Drupal.org industry pages highlight the story of building a custom-tailored solution for each industry using third-party integrations, expert hosting, or even purpose built distributions for the industry. Each page also highlights case studies which show demonstrated success stories using Drupal in each industry. In June we've launched our latest industry page, highlighting the Healthcare industry.
Semantic Labels for Development Branches
With a six month release cycle for Drupal core, the environment that project maintainers should test their code against will change fairly frequently. To make it easier for maintainers to keep up to date with testing - we've introduced semantic labels for the core branches. Maintainers can now configure tests against Default — the current development branch of Drupal, Stable — the most recent release of core, and Supported — the current patch/bug-fix branch.
These semantic labels should make it easier for project maintainers to manage testing. We hope to expand on this with a few more labels, and may even extend these semantic labels to the version field that issues are filed against in the future.
UTF8MB4 support
As mentioned in last month's update, we've updated Drupal.org and the sub-sites to support the UTF8MB4 extended character set. While the changes for the sub-sites were deployed in May, we finished up by adding support to Drupal.org itself in June. Among other things, this means that Drupal.org will no longer throw errors if emoji are used in content. 😄
Updating our membership CRM
Drupal Association Membership is managed using the CiviCRM platform - and in June we spent a bit of time updating to the latest version and troubleshooting some issues around receipting and renewals. Members can check their current membership status on the membership page. If you're not yet a member or you need to renew, check out our membership certificate offer.
Performance improvements
To increase performance on Drupal.org we've updated to the latest version of the Advanced Aggregator module (special thanks to u/mikeytown2). The latest update includes aggregation of fonts from the Google Fonts API, which should make a material difference in Drupal.org page render times.
Better spam moderation tools
A recent surge of spam attacks targeting Drupal.org has led us to take another pass at updating our spam moderation tools. Spammers continue with a never-ending escalation of tactics, and so we are constantly evolving our tools for managing spam. We've implemented some rate limiting protections as well as some new moderation views that will make it easier for us to bulk moderate spam. We'll be continuing with some of this work into July so that we can keep Drupal.org's home free from spam and productive.
Infrastructure
Infrastructure partner selected
In March we kicked off an RFP process to find a Managed Infrastructure Services vendor to partner with us to help maintain and improve the Drupal.org infrastructure. In June we reached a decision and have selected Tag1 Consulting as our partner. We're now working with Tag1 to audit our current infrastructure, policies, as well as monitoring and alerting systems as we kick off this relationship. Tag1 brings a tremendous amount of experience in Drupal infrastructure management as well as making Drupal performant at scale - and we're grateful to have them on board. With a partner on board to help us manage our infrastructure our internal team will focus on features and issues that support our mission.
———
As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects. In particu[...]

I recently shared the community needs and potential strategies for evolving community governance, which resulted from the Community Discussions we held in person and online throughout April and May. You can find the webinar recording and written transcript, as well as the meeting minutes from all Community Discussions, at https://www.drupal.org/community/discussions.

Many community members who participated in these discussions agreed that the next step to take in this process is to hold a Community Governance Summit. However, we are not yet clear on where and when this event should take place, who should participate, and several other important details. I worked with community members to develop this survey so we can answer those questions.

Please take 5 minutes to take this community survey and tell us your thoughts about the Community Governance Summit. This survey will remain open until 11:59pm EDT on July 28, 2017. We will analyze the findings and report back on what we learned in a follow-up blog post by Friday, August 4.

On 28 June, 2017, the Drupal Association Board held the second of four annual public meetings. It was a full meeting where staff provided operational updates and gained some strategic direction from board members on how to proceed in various areas. Some highlights included:

Summary of DrupalCon Baltimore’s performance and impact.

Progress on securing future DrupalCon locations.

Discussion on how to unblock community outreach efforts by making appropriate changes to the Drupal.org privacy policy

Whitney Hess also attended the board meeting to give an update on the Community Discussion work and invited the community to attend her webinar that shared her findings and next steps. You can learn more and watch the recorded webinar here.

Also, Jamie Nau, our “virtual CFO” from Summit CPA attended the meeting to review April 2017 financial statements, which showed that DrupalCon Baltimore exceeded expectations, positioning the Drupal Association for a healthier year, financially. This is encouraging news as we work through our financial turnaround, which started a year ago.

In an effort to be more transparent about board activities, the board chose to use this public forum to vote to approve the January through April 2017 financial statements. April 2017 financial statements showed that April was a successful month primarily due to DrupalCon Baltimore's strong financial performance.

We were pleased to have community members attend and invite you to attend our next board meeting on 27 September, 2017 at noon CEST. It is located in the DrupalCon Vienna convention center and can also be attended via zoom.

Join in the fun during the Drupal Association membership campaign happening now through August 4. We're providing personalized certificates of membership to individual and organization members who join or renew during the campaign and we need your help spreading the word.

The campaign has two goals: help us deliver 500 certificates and raise $18,250 during July 10-August 4. By sharing and encouraging Drupal users and people in the community to join us, you'll help us meet these goals. If we are told by 5 or more members that you referred them to us during this campaign, we'll thank you on social media.

Grab words and graphics from this post and share away. If you are a member who would like your own certificate let us know and we'll send one your way. Post your selfie or hang your certificate on the wall. Thanks for sharing!

Last week, we shared the high-level findings from our recent Community Discussions. Today, Whitney Hess hosted a webinar to explain those findings in depth, along with proposals from the community on how to evolve community governance.

We encourage you to watch the video and post your questions in the comment section here. If you have comments but wish to remain private, Whitney asks you to email her directly at whitney@whitneyhess.com.

Over the last few years, many of us have seen the need to evolve community governance. Up until now, we had to focus on other priorities, but now is the time to address our needs for community governance especially in light of recent community events.

Our project has matured greatly and participation has expanded from developers and site builders to also include more content editors, designers, and marketing managers who work not only as freelancers or at Drupal shops, but also for large digital agencies or system integrators. We want all community members to be included in these community discussions so the redefined community governance serves everyone. This is an exciting time to create an even healthier future for our ever-growing community.

The Drupal Association is committed to staying in a support role as the community determines how to best evolve community governance to support everyone’s needs. We started helping by hosting Community Discussions that were mediated by Whitney Hess. There were 7 sessions at DrupalCon Baltimore and 7 virtual sessions between April and May. You can find the meeting minutes here.

The Community Discussions surfaced several common needs and identified several strategies for addressing those needs.

The most commonly shared needs of the community are (in order of frequency):

Awareness

Participation

Transparency

Clarity

Contribution

Healing

Trust

Understanding

Communication

Connection

Empowerment

Process

Progress

Strategies to address those needs ranged from clarifying the responsibilities and boundaries of the leadership roles throughout the Drupal project, determining how and where to communicate community decisions, improving processes for community management, and providing easier access to documentation about leadership roles and clearly communicating what is expected of Drupal community members.

In terms of next steps, the participants were in agreement that we need to come together in a Governance Summit to start architecting improvements to today’s governance structure. However, the community did not define the best way to hold this meeting. It is still unclear when and where it should be, and who should participate and facilitate. We will send out a community survey next to get input from you to answer these questions.

Attend The Webinar

We invite you to attend a webinar on July 6 at 11 am ET / 1600 BST / 8:30 pm IST hosted by Whitney Hess. Whitney will review the findings from our Community Discussions in more detail. We will record the video and share it with you afterwards, along with a written transcript.

Surrounding Drupal is a thriving global business ecosystem and thanks to collaboration with One Shoe and Exove, we’ve created an annual survey that gives insight into its health, focus, and needs. Businesses benefit by learning from their peers and seeing Drupal’s business trends. This survey also helps the Drupal Association find new ways to help support this community. Analysis of the 2016 edition of the survey can be found here.

We encourage all business leaders to take this year’s Drupal Business Survey.

The survey aims to provide a picture of the current Drupal Business landscape, including the health of Drupal companies, obstacles and enablers for Drupal’s business success and D8 adoption.

Participation is completely anonymous and takes fewer than 10 minutes. The first results will be presented at the Drupal CEO Dinner at DrupalCon Vienna on Wednesday, September 27th, 2017. Analysis and insights will officially be published on Drupal.org and in Drupal Watchdog Magazine.

Participate!

Drupal 8.3.4 and Drupal 7.56 are maintenance releases which contain fixes for security vulnerabilities.
Download Drupal 8.3.4
Download Drupal 7.56
Updating your existing Drupal 8 and 7 sites is strongly recommended (see instructions for Drupal 8 and for Drupal 7). This release fixes security issues only; there are no new features nor non-security-related bug fixes in this release. See the 8.3.4 release notes and the 7.56 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.
Advisory ID: DRUPAL-SA-CORE-2017-003
Project: Drupal core
Version: 7.x, 8.x
Date: 2017-June-21
Multiple vulnerabilities
Description
PECL YAML parser unsafe object handling - Critical - Drupal 8 - CVE-2017-6920
PECL YAML parser does not handle PHP objects safely during certain operations within Drupal core. This could lead to remote code execution.
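The unsafe behaviour referred to here is that the PECL yaml extension, with its `yaml.decode_php` setting enabled, runs `unserialize()` on nodes tagged `!php/object`, so untrusted YAML can instantiate arbitrary PHP classes. The following is an added example (not Drupal core's own YAML wrapper) of decoding YAML with that extension while refusing object tags; it assumes ext-yaml is loaded and that a custom tag callback registered with `yaml_parse()` is consulted for tagged nodes.

```php
<?php
// Added example, not Drupal core code. Assumes the PECL yaml extension.
// Decodes a YAML document without ever unserializing PHP objects.

/**
 * Parse $yaml into an array. Any '!php/object' node aborts the parse.
 *
 * @throws \RuntimeException on an object tag or on unparseable input.
 */
function yaml_decode_without_objects(string $yaml): array {
  // Primary control: with yaml.decode_php off, '!php/object' scalars are
  // returned as plain strings instead of being passed to unserialize().
  ini_set('yaml.decode_php', '0');

  // Second layer: a tag callback that refuses the node outright, so the
  // document is rejected rather than silently carrying a serialized blob.
  $callbacks = [
    '!php/object' => function ($value, string $tag, int $flags) {
      throw new \RuntimeException("Refusing to decode YAML node tagged $tag");
    },
  ];

  $ndocs = 0;
  $data = yaml_parse($yaml, 0, $ndocs, $callbacks);
  if ($data === FALSE) {
    throw new \RuntimeException('YAML document could not be parsed');
  }
  return is_array($data) ? $data : [];
}

/**
 * Operational check: report whether this process would currently decode
 * PHP objects from YAML (i.e. whether the ini flag is still enabled).
 */
function yaml_php_object_decoding_enabled(): bool {
  return (bool) ini_get('yaml.decode_php');
}

// Usage with a constructed, benign document.
$config = yaml_decode_without_objects("site:\n  name: example\n  maintenance: false\n");
var_dump($config['site']['name']);
var_dump(yaml_php_object_decoding_enabled()); // FALSE after the call above
```

The `ini_set()` call only affects the current process, so a site that wants this guarantee everywhere should also set `yaml.decode_php = 0` in php.ini and verify it with `yaml_php_object_decoding_enabled()` (or `php -i`) after deployment; the Drupal fix in 8.3.4 is the authoritative change for sites that use the extension through core.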
File REST resource does not properly validate - Less Critical - Drupal 8 - CVE-2017-6921
The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource.
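Both this advisory and the comment approval bypass in SA-CORE-2017-004 are conditional on a specific REST resource being enabled with a specific HTTP method (file with PATCH here, comment with POST there), so the first thing a site owner wants to know is which entity resources are exposed at all and with which methods. The following is an added example (not Drupal core code) of that inventory for Drupal 8.2+, where REST resources are `rest_resource_config` entities; it assumes the rest module is installed and that the script is run with Drush's `php:script` command. The flagged resource ids (`entity.comment`, `entity.file`) follow the module's convention of replacing the `:` in the plugin id with `.`.

```php
<?php
// Added example, not Drupal core code. Run from a Drupal 8 site root with:
//   drush php:script audit_rest_resources.php   (file name is an assumption)
use Drupal\rest\Entity\RestResourceConfig;

/**
 * Inventory enabled REST resources and flag the combinations named in
 * SA-CORE-2017-003 (file + PATCH) and SA-CORE-2017-004 (comment + POST).
 *
 * @return array[] One row per enabled resource: id, methods, auth, flag.
 */
function audit_rest_resources(): array {
  $report = [];
  foreach (RestResourceConfig::loadMultiple() as $id => $config) {
    if (!$config->status()) {
      continue; // resource config exists but is disabled
    }
    $methods = $config->getMethods();
    $auth = [];
    foreach ($methods as $method) {
      $auth[$method] = $config->getAuthenticationProviders($method);
    }
    $flag = NULL;
    if ($id === 'entity.comment' && in_array('POST', $methods, TRUE)) {
      $flag = 'comment POST exposed: review comment approval (SA-CORE-2017-004)';
    }
    if ($id === 'entity.file' && in_array('PATCH', $methods, TRUE)) {
      $flag = 'file PATCH exposed: review upload permissions (SA-CORE-2017-003)';
    }
    $report[] = ['id' => $id, 'methods' => $methods, 'auth' => $auth, 'flag' => $flag];
  }
  return $report;
}

foreach (audit_rest_resources() as $row) {
  printf("%-30s %-25s %s\n", $row['id'], implode(',', $row['methods']), $row['flag'] ?? '');
}
```

A flag does not mean the site is exploitable (the advisory's other conditions, such as who can hold an account with the relevant permissions, still apply); it identifies the resources to disable, or to restrict by method and authentication provider, if the site does not need them.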
Files uploaded by anonymous users into a private file system can be accessed by other anonymous users - Moderately Critical - Drupal 7 and Drupal 8 - CVE-2017-6922
Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.
The security team has also received reports that this vulnerability is being exploited for spam purposes, similar to the scenario discussed in PSA-2016-003 for the public file system.
Versions affected
Drupal core 7.x versions prior to 7.56
Drupal core 8.x versions prior to 8.3.4
Solution
Install the latest version:
If you use Drupal 7.x, upgrade to Drupal core 7.56
If you use Drupal 8.x, upgrade to Drupal core 8.3.4
Also see the Drupal core project page.
Reported by
PECL YAML parser unsafe object handling
Heine Deelstra of the Drupal Security team
File REST resource does not properly validate
Samuel Mortenson
Files uploaded by anonymous users into a private file system can be accessed by other anonymous users
Greg Knaddison of the Drupal Security team
Mori Sugimoto of the Drupal Security team
iancawthorne
Fixed by
PECL YAML parser unsafe object handling
xjm of the Drupal Security team
Alex Pott of the Drupal Security team
Peter Wolanin of the Drupal Security team
File REST resource does not properly validate
Samuel Mortenson
Wim Leers
Alex Pott of the Drupal Security team
xjm of the Drupal Security team
Sascha Grossenbacher
Files uploaded by anonymous users into a private file system can be accessed by other anonymous users
David Rothstein of the Drupal Security team
Peter Wolanin of the Drupal Security team
Michael Hess of the Drupal Security team
xjm of the Drupal Security team
Chris McCafferty of the Drupal Security team
Lee Rowlands of the Drupal Security team
Alex Pott of the Drupal Security team
Nathaniel Catchpole of the Drupal Security team
Stefan Ruijsenaars of the Drupal Security team
Nate Haug
Gareth Goodwin
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the conta[...]

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.
After returning from DrupalCon Baltimore at the end of April, we spent May regrouping and focusing on spring cleaning tasks. It's important for any technical team to spend time on stability and maintenance, and we used May to find improvements in these areas and look for some other efficiencies.
Drupal.org updates
🎉 UTF8MB4 Support
Support for the UTF8MB4 character set has been a long outstanding issue for Drupal.org and the sub-sites. This expanded character set supports supplementary characters outside of the basic unicode multilingual character plane, including symbols and emoji.
Previously the use of any of these characters on Drupal.org would result in an error. This extended support has been rolled out to Drupal.org and all of the sub-sites except Groups, our legacy Drupal 6 site on LTS.
Protecting Localize.Drupal.org from Spam
After a spike in spam form submissions was reported (thanks Gábor!) we enabled form protection on Localize.drupal.org. Hopefully this will keep our many translation volunteers focused on the hard work of localizing Drupal, instead of on spam fighting. The techniques that spammers use to bypass protections continue to escalate, so we'll be continuing to evaluate new ways to fight spam as time goes on.
Infrastructure
Stability and Maintenance
We spent a portion of our time in May focused on some basic infrastructure issues. One of the Drupal.org production webnodes experienced a filesystem and networking issue and had to be removed from the rotation. We performed some forensics to identify the cause of the issue, and then rebuilt the virtual machine and put it back into rotation.
We also spent some time updating the remote access configuration with our data center, to make remote troubleshooting easier and more efficient for our internal team.
Finally, we performed an audit and inventory of our owned hardware. This helped us to identify underutilized resources that we could re-purpose, and will help us more quickly on-board our new managed infrastructure services partner at the conclusion of our RFP process.
Infrastructure RFP
The deadline for responses to our Managed Infrastructure Services RFP was Monday May 8th. Once we'd received proposals from all participating vendors, we began our process to review those proposals internally and schedule interviews with the vendors. As we move into June this RFP process is wrapping up, and we will be announcing the results of the RFP soon.
DrupalCI
General Updates
One of the primary features of DrupalCI is that it allows developers to test against a variety of environments. To make sure that we're more easily able to keep up with the latest PHP patch releases (e.g. 7.0.x/7.1.x/5.6.x), the PHP environment containers are now rebuilt nightly.
Coding standards test results were added in April, and to make it easier for developers to see where the code standards issues appear within the code base, we're now linking the standards results to CGIT.
More efficient test result saving
Since we began parsing DrupalCI test results onto Drupal.org we pretty rapidly reached more than 100,000,000 database rows of test results, taking up more than 100G of database space. To make offering this service more sustainable, we've implemented changes to how we store test result data. Instead of storing complete results for each test, we now only store the diff between the current test and the last test. This has resulted in a dramatic reduction in the amount of space consumed.
Re-purposing owned hardware for bots
DrupalCI is also the most expensive single service that the Drupal Association provides to the community. In addition to the labor cost[...]

This guest blog post is from Drupal Moldova's Association (not affiliated with Drupal Association). Get a glimpse of what is happening in Moldova's community and how you can get involved.
Drupal Moldova Association’s mission is to promote Drupal CMS and Open Source technologies in Moldova, and to grow and sustain the local community by organising Events, Camps, Schools, Drupal meetups and various Drupal and Open Source related trainings, and by establishing partnerships with Companies, the Government, and NGO’s.
Come and share your expertise in Moldova at our events! We're looking for international speakers to speak about Drupal and open source.
Among DMA’s (short for Drupal Moldova Association) numerous commitments, the following are of special importance:
to gather the community around Drupal and Open Source technologies;
to train students and professionals who want to learn and work with Drupal;
to organise events to keep the community engaged and motivated to improve, learn, and share experience;
to make sure Drupal is accessible to everyone by offering scholarships to those who can't afford our programs;
to elaborate a well defined program that helps students learn Drupal, acquire enough knowledge to get accepted for internships by IT companies, and be able to build Drupal powered websites;
to assist new IT companies in establishing a local office, promote themselves, collaborate with other companies, and connect with the local Drupal community by giving them the opportunity to support our projects.
Over the last 5 years, we have been dedicated to achieving our goals! DMA have organized over 20 projects and events, including Drupal Global Training Days, Drupal Schools, and the regional DrupalCamp -- Moldcamp. Our projects have gathered over 700 local and international participants and speakers, and more than 15 International Companies that have supported us during these years (FFW, Adyax, IP Group, Intellix, Endava and many others).
Moldova is rich in great developers and people driven to take initiative and to grow and place the country on the world map. We are aiming to go beyond our limits and have a bigger impact in the year (‘17-’18), therefore we have created a yearly plan that contains projects similar to those we have done in the past years, as well as new and exciting ones:
Drupal School (3 step program), starting with Drupal School 8 plus PHP (step 1): Drupal School is an educational program - split into 2 months, 25 courses of different levels (Beginner, Intermediate, Advanced). Drupal School aims to introduce people to Drupal 8 and PHP, and help them become Drupal professionals;
Moldcamp 2017: Sep - Oct 2017. A regional DrupalCamp that gathers around 150 Drupal professionals, enthusiasts, beginners and any-Drupal-related-folk in one place for knowledge-sharing, presentations, networking, etc. We will announce the event soon and allow speaker registration. Please follow us and don’t miss out on the opportunity;
Drupal Global Training Day: Dec 1-2. A one-day workshop that has the purpose of introducing people to Drupal, both code and community.
Drupal Meetups: These are organized each month and they allow our community to be active and share knowledge.
Tech Pizza: Jun, Aug, Oct, Dec. A bi-monthly event, where the ICT community can gather in a casual and an informal environment around a pizza and soda and discuss the latest IT trends and news. The core of this event is a speaker / invitee from abroad with a domain of expertise;
Moldova Open Source Conference: March 2018. It is a regional conference for over 200 participants that aims to gather all the Open Source Communities (Wordpress, Laravel, Ruby on Rails, JavaScript, etc.) under one roof, where they will attend[...]

Remember how we are making changes to DrupalCon Europe? These were hard decisions and some things we love we found just weren’t financially viable. Like free t-shirts. But one thing we heard a lot was “please don’t take away the t-shirts!”

We heard you. And while it doesn’t make financial sense to give free t-shirts to all attendees, we still want to be able to continue to offer them. So we’ve come up with a plan.

At DrupalCon Vienna, t-shirts will be offered to the following groups:

Individual Drupal Association members who register for DrupalCon Vienna between 5 - 16 June 2017. You must register in this two week window AND be an individual member of the Drupal Association.

Volunteers who work at least four (4) hours onsite in Vienna 26 - 29 September. You must check the volunteer box during registration and must show up on site to volunteer for four (4) hours or until released by event staff.

Volunteers as part of the DrupalCon Program Team

Sprint Mentors

The fine print FAQ

I’m already a member, how do I make sure that I'll get a shirt?

If you are already an individual member, you get a t-shirt! BUT you MUST register in the first two weeks of ticket sales. Registrations after 16 June will not receive a t-shirt, member or not.

I’m not a member, can I do that during registration and still get a shirt?

Yes. If you are not a member you can become an individual member during your conference registration. You will be presented with a page during check-out that gives you the option to become a member.

I already registered but JUST saw this post! What do I do?

If you are a true early bird and register in the two weeks, but somehow missed this news post until after registering, that's ok. As long as you become a member before the end of 16 June, you'll still get a t-shirt.

After the 16 June cut-off date, eligible registrants will receive an email confirming their t-shirt along with a link to select their t-shirt size.

You got a session selected? Great!

We’ll refund your registration amount (but not your membership) and you get to keep the t-shirt. Our regular no-refund policy applies to all other sales.

You’re part of an organization that is buying a bulk amount of tickets for employees? Lucky you.

Your organization should provide you with an individual redemption code. You’ll need to redeem your individual registration before 16 June AND also be an individual member of the Drupal Association in order to get a t-shirt.

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.
At the end of April we joined the community at DrupalCon Baltimore. We met with many of you there, gave our update at the public board meeting, and hosted a panel detailing the last 6 months worth of changes on Drupal.org. If you weren't able to join us for this con, we hope to see you in Vienna!
Drupal.org updates
DrupalCon Vienna Full Site Launched!
Speaking of Vienna, in April we launched the full site for DrupalCon Vienna which will take place from September 26-29th, 2017. If you're going to join us in Europe you can book your hotel now, or submit a session. Registration for the event will be opening soon!
DrupalCon Nashville Announced with new DrupalCon Brand
Each year at DrupalCon the location of the next conference is held as a closely guarded secret; the topic of speculation, friendly bets, and web crawlers looking for 403 pages. Per tradition, at the closing session we unveiled the next location for DrupalCon North America - Nashville, TN, taking place from April 9-13th in 2018. But this year there was an extra surprise.
We've unveiled the new brand for DrupalCon, which you will begin to see as the new consistent identity for the event from city to city and year to year. You'll still see the unique character of the city highlighted for each regional event, but with an overarching brand that creates a consistent voice for the event.
Starring Projects
Users on Drupal.org may now star their favorite projects - making it easier to find favorite modules and themes for future projects, and giving maintainers a new dimension of feedback to judge their project's popularity. Users can find a list of the projects they've starred on their user profile. Over time we'll begin to factor the number of stars into a project's ranking in search results.
At the same time that we made this change, we've also added a quick configuration for managing notification settings on a per-project basis. Users can opt to be notified of all issues for a project, only issues they've followed, or no issues. While these notification options have existed for some time, this new UI makes it easier than ever to control issue notifications in your inbox.
Project Browsing Improvements
One of the important functions of Drupal.org is to help Drupal site builders find the distributions, modules, and themes, that are the best fit for their needs. In April, we spent some time improving project browsing and discovery.
Search is now weighted by project usage so the most widely used modules for a given search phrase will be more likely to be the top result.
We've also added a filter to the project browsing pages to allow you to filter results by the presence of a supported, stable release. This should make it easier for site builders to sort out mature modules from those still in initial development.
Better visual separation of Documentation Guide description and contents
In response to user feedback, we've updated the visual display of Documentation Guides, to create a clearer distinction between the guide description text and the teaser text for the content within the guides.
Promoting hosting listings on the Download & Extend page
To leverage Drupal to the fullest requires a good hosting partner, and so we've begun promoting our hosting listings on the Download and Extend page. We want Drupal.org to provide every Drupal evaluator with all of the tools they need to achieve success—from the code itself, to professional services, to hosting, and more.
Composer
Sub-tree splits of Drupal are now available
For developers using Composer to manage the[...]

Discover > Plan > Build > Iterate
There comes a time when we must all recognize that what got us here won't get us there. Now is that time for Drupal. The governance models that were put in place to support the needs of the community years ago are no longer working as well as they should. The Drupal community has reached a level of maturity that requires greater clarity, integrity, and resilience.
An effort is underway to evolve Drupal’s community governance. The Drupal community is in the driver’s seat. The Drupal Association is helping navigate and get the community where it wants to go by providing the structure, support, and resources that are desperately needed to make progress. I, Whitney Hess, have been engaged to be a neutral facilitator of this process.
We are proposing a multi-phase approach to redesign Drupal’s community governance models, management, and decision-making practices: Discover > Plan > Build > Iterate. In this first phase, our goal is to gain a deeper understanding of the needs of the Drupal community. We are conducting this research through a variety of methods: one-on-one interviews with select individuals; mediated group discussions; surveys and feedback forms.
We held seven hour-long Community Discussions over three days of DrupalCon. There were 6-10 participants per session. Though every session had its own energy and topics varied, all discussions were fruitful and impactful. Many participants said they left feeling better than when they arrived.
While there was some discussion about recent events in the sessions, the focus quickly shifted to brainstorming ideas for how to improve Drupal’s community governance. As mediator, it is my role to help people articulate their needs, and to support the community in devising strategies to better get those needs met. Please read the meeting summaries if you would like to get a sense of what was discussed.
There are currently seven online sessions scheduled over the next two weeks at a variety of times for the global community to participate in these facilitated discussions, and more will be scheduled if needed. If you want your voice heard, I strongly encourage you to join us. If you have questions or concerns about the sessions, you’re welcome to contact me directly at whitney@whitneyhess.com.
Once these sessions are completed, we will be conducting a short survey and other types of feedback forms to have the widest possible reach. We want to ensure that people have a variety of ways to constructively contribute to making Drupal the best it can be. We expect to launch these in late-May.
At the conclusion of the Discovery phase, we will move into Planning. We are at the earliest stages of conceiving a Governance Summit over 1-2 days in June to take all of the learnings from Discovery, and craft a strategy for specifically how to change Drupal’s community management and governance. As of today, we do not yet have dates, location, or participant information. We are waiting to see what comes out of Discovery before we devise any framework for how this can be achieved effectively and equitably. Again, the Drupal Association’s role here is to be a support, and to create space for the community to decide how it wants its governance to change.
I have very clearly heard a need for greater transparency into this process and how decisions are being made. I take that responsibility seriously, and will continue to share our progress along the way. Next up, please look out for a summary of our Discovery findings, to be shared in late-May/early-June.
With gratitude,
Whitney[...]

TL;DR: Both the community and Dries Buytaert, Project Lead, see a need to evolve Drupal community governance. The Drupal Association can help in a support role. We will start by hosting mediated community discussions so everyone around the world can participate, be heard and understood, and share their ideas. Creating a new governance model will take many months and will require an agile approach as we all feel our way through the proper steps. The Drupal Association will continue to find ways to support this process as we all move through it together.
-------------
Over the last several weeks, the Drupal Association has been in listening mode — and we still are. We’re hearing community members say they need clarity and understanding, and that our community governance needs to change. As we process what we’re hearing, we want to find the best way to help the community address the issues being raised, within the boundaries of the Drupal Association charter.
The Drupal Association’s mission is to unite the global community to help build and promote the software. We do that in two very specific ways: DrupalCon and Drupal.org. We’re determining how best to meet the community’s needs as it relates to these two key community homes. In the near future, I will publish blogs with ideas on how we might address the various needs we are hearing.
Evolving Community Governance
There is one need that we hear loud and clear that we can address today: The community needs support to evolve community governance structures and processes. Both the community at large, and Dries Buytaert, Project Lead, have expressed this need, and we are glad to see this alignment.
It’s important to note that the Drupal Association has a very limited role in community governance. Our only role in governance stems directly from our charter to manage DrupalCon and Drupal.org.
It’s not within our charter to oversee community governance or drive its evolution. The last thing the Drupal Association wants is to step outside of our charter or accidentally take away the community’s agency in self-organizing to create the new community governance model. However, we do want to facilitate forward movement. And so, we can take a support role.
We hear that many in the community want to come together to talk. We can support this by providing a meeting place (both in person and online), and a mediator for community discussions.
We have asked Whitney Hess, a coach who has worked with the Drupal community before, to facilitate and mediate community discussions, where people can come together to talk about current community issues and explore ideas for improved governance. These discussions will start at DrupalCon Baltimore and continue in a series of online meetings, scheduled at different times so members around the world can participate. [see more details below]
To provide transparency for those who cannot attend the discussion sessions, we will post meeting minutes and summaries from each community discussion here: https://drupal.org/community/discussions.
As facilitator of these community discussions, Whitney Hess will provide a summary to give us a broad perspective on the “voice of the community.” We hope these conversations will ground the community as it begins architecting its new governance model.
Once we have had these discussions we can decide together on the appropriate next steps, and how the Association can help the community continue to move forward, together.
Join Community Discussions
We hope you'll join the conversation as these discussions begin. Again, our overarching aim is to support the community so it can be healthy and cont[...]

Description

This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met:

The site has the RESTful Web Services (rest) module enabled.

The site allows PATCH requests.

An attacker can get or register a user account on the site.

While we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we have also provided an 8.2.x release to ensure that sites that have not had a chance to update to 8.3.0 can update safely.
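Added example (not code from Drupal or from the advisory): a Python check for the second condition above, run over the rest.resource.*.yml files that a Drupal 8.2+ config export writes; the file layout (granularity and configuration keys) is assumed from such exports, and the sample files are constructed.

```python
"""Report Drupal 8 REST resources whose exported config permits PATCH.

Added example, not Drupal's own code. Parses the rest.resource.*.yml files
a Drupal 8.2+ config export produces (layout assumed from such exports)
and lists enabled resources allowing PATCH, the advisory's second
condition. Sample files below are constructed; no YAML library needed.
"""

# Constructed sample: two exported REST resource config files.
SAMPLE_CONFIGS = {
    "rest.resource.entity.user.yml": """\
langcode: en
status: true
id: entity.user
plugin_id: 'entity:user'
granularity: resource
configuration:
  methods:
    - GET
    - PATCH
  authentication:
    - basic_auth
    - cookie
""",
    "rest.resource.entity.node.yml": """\
langcode: en
status: true
id: entity.node
plugin_id: 'entity:node'
granularity: method
configuration:
  GET:
    supported_formats:
      - json
    supported_auth:
      - cookie
""",
}


def parse_block_yaml(text):
    """Parse the block-style YAML subset config export emits: nested
    mappings of scalars and sequences of scalars."""
    lines = [ln.rstrip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    pos = 0

    def indent(s):
        return len(s) - len(s.lstrip(" "))

    def scalar(v):
        v = v.strip().strip("'\"")
        return {"true": True, "false": False}.get(v, v)

    def parse(level):
        nonlocal pos
        if lines[pos].lstrip().startswith("- "):
            items = []
            while (pos < len(lines) and indent(lines[pos]) == level
                   and lines[pos].lstrip().startswith("- ")):
                items.append(scalar(lines[pos].lstrip()[2:]))
                pos += 1
            return items
        mapping = {}
        while pos < len(lines) and indent(lines[pos]) == level:
            key, _, val = lines[pos].lstrip().partition(":")
            pos += 1
            if val.strip():
                mapping[key] = scalar(val)
            elif pos < len(lines) and indent(lines[pos]) > level:
                mapping[key] = parse(indent(lines[pos]))
            else:
                mapping[key] = None  # key with no value
        return mapping

    return parse(0) if lines else {}


def patch_enabled_resources(configs):
    """Return ids of enabled REST resources whose config permits PATCH."""
    hits = []
    for filename, text in sorted(configs.items()):
        cfg = parse_block_yaml(text)
        if cfg.get("status") is not True:
            continue  # a disabled resource config is not served
        conf = cfg.get("configuration") or {}
        if cfg.get("granularity") == "method":
            methods = list(conf)  # per-method layout: keys are the verbs
        else:
            methods = conf.get("methods") or []  # resource-level layout
        if any(str(m).upper() == "PATCH" for m in methods):
            hits.append(cfg.get("id", filename))
    return hits


if __name__ == "__main__":
    for rid in patch_enabled_resources(SAMPLE_CONFIGS):
        print("PATCH enabled on REST resource:", rid)
```

Point it at a real `config/sync` directory by loading each rest.resource.*.yml into the dict; a non-empty result means the PATCH condition holds and the update should not wait.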

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.
The Drupal Association team is gearing up for DrupalCon Baltimore. We're excited to see you there, and we'll be presenting a panel giving an update on our work since Dublin and our plans for the coming months.
Drupal.org updates
Project application revamp
As we announced in mid-March, new contributors on Drupal.org can now create full projects and releases! Contributors no longer have to wait in the project application queue for a manual review before they are able to contribute projects.
This is a very significant change in the Drupal contribution landscape, and it's something we approached carefully and will continue to monitor over the coming months. Drupal has always had a reputation for high-quality code, and we want to make sure that reputation is preserved with good security signals, project quality signals, and continued incentives for peer code review.
That said, we're very excited to see how this change opens up Drupal to a wider audience of contributors.
Please note that the removal of project applications to create full projects and releases means a change in the security advisory policy (see below for details).
Security Advisory Opt-in and new Security Signals for Projects
Are you responsible for the security of your clients' Drupal sites?
Please note that Drupal's security advisory coverage policy has changed. Security advisory coverage for contributed projects is now only available for projects that have both opted in to receive coverage and made a stable release. You can see which projects have opted in by checking their project pages. If you have questions, please contact security@drupal.org.
Because users may now create full projects and releases without opting in to security advisory coverage, it's critically important that we provide good security signals to users evaluating projects on Drupal.org. This is why we've added a security coverage warning to projects that aren't opted in to coverage.
We've also:
Opened up the opt-in process, allowing any maintainer of a project (not just the node author) to opt in to receive security advisory coverage
Added a confirmation step when a user goes to make a stable release - this encourages users to be sure the project is ready for a release, and to opt in to coverage if they haven't already
Blocked security advisory opt-in if a project has an open, public security issue
Started displaying info about public security issues on project pages that haven't opted into advisory coverage
Added a filter to project browsing pages to make it easier to find projects with supported stable releases
2017 Community Elections Update
The 2017 elections for the community-at-large seat on the board were held successfully in March. Drupal Association community board elections are conducted with the Instant Runoff Voting system. This voting methodology requires that voters rank their preferred candidates on their ballot, and we've heard that this system has been somewhat unwieldy in the past.
Each year we try to improve the voter experience and so this year we deployed a new drag-and-drop ballot.
Finally, we want to congratulate our newest board member Ryan Szrama!
Better international datetime support throughout Drupal.org
Drupal.org has grown organically over the course of more than a decade, and as features have been built out they were not always consistent in their display of datetime information. While it sometimes makes sense to have a few different formats [...]

Description

There will be a security release of Drupal 8.3.x and 8.2.x on April 19th 2017 between 17:00 - 18:00 UTC that will fix a critical vulnerability. While we don't normally provide security releases for unsupported minor releases, given the potential severity, we will provide an 8.2.x release that includes the fix for sites which have not had a chance to update to 8.3.0. The Drupal Security Team urges you to reserve time for core updates at that time because exploits are expected to be developed within hours or days. Security release announcements will appear at the standard announcement locations.

This vulnerability does not affect all Drupal 8 sites; it only affects sites with certain configurations. It requires authenticated user access to exploit. The security release announcement on April 19th 2017 will make it clear which configurations are affected. If this vulnerability affects your site, you will need to update. Please set aside time on Wednesday to look into this update.

In October of last year the Technical Advisory Committee was formed to evaluate options for the developer tools we use on Drupal.org. The TAC consists of Angie Byron, Moshe Weitzman, and Steve Francia, acting as advisors to Megan Sanicki, the Executive Director of the Drupal Association.
The TAC's mandate is to recommend a direction for the future of our tools on Drupal.org. Megan will evaluate this recommendation, make a decision, and prioritize that work in the development roadmap of the Drupal Association engineering team.
What is the motivation behind looking at our developer tools now?
Close followers of the Drupal project will have noticed a trend in the last several months. From Dries' announcement of easy upgrades forever, to the revamp of the project application process, to the discussion about making tools for site builders— there is a unifying theme: broadening the reach of Drupal.
This is the same motivation that underlies this evaluation of our developer tools, and defines the goals and constraints of this initiative:
Adopt a developer workflow that will be familiar to the millions of developers outside our community
Preserve those unique elements of how we collaborate that have made the Drupal project so successful
If possible, leverage an expert partner who will help keep our tooling up to date as open source collaboration tools continue to evolve
This means looking at a number of elements of the Drupal.org developer tool stack:
The underlying git service
How we tag and package releases
The contribution workflow (patch vs. pull request)
Project management workflows (the issue queues and tags)
CI integration
Maintainership
Project pages
If this looks like a tremendous undertaking - that's because it is. But there are some things we already know:
Drupal.org should continue to be the home of project pages
We should adopt a pull request workflow (and ideally we want to be able to continue to accept patches as well, at least in the interim)
We should move contrib projects to semver, following core's lead
We want to preserve our familiar understanding of maintainership
We want to avoid forked code and forked conversation
We want to ensure the security team still has the tools they need to provide their service to the community
We also know that whatever decision is made, these changes cannot happen all at once. We'll need to take a progressive approach to the implementation, and focus on the parts of the stack that need to change together, so that we don't bite off more than we can chew.
What options are being considered?
At this time, the technical advisory committee is considering three options as they prepare to make their recommendation. The options are: GitLab, which offers both self-hosted and SaaS options; GitHub, which has recently been adding long-requested new features; or continuing to evolve our custom-built tooling, perhaps via issue workspaces.
GitLab
GitLab is the up-and-comer among Git hosts. GitLab can be self-hosted using either their Community or Enterprise edition, or repositories can be hosted at GitLab.com. Though they recently stumbled, they have been notably open and transparent about their efforts to build a leading collaboration platform.
GitLab is itself open source, and has just released its 9.0 edition. GitLab has aggressively pursued the latest in development tools and workflow features, including project management tools, a UI for merge conflict resolution with in-line commenting and cherry-picking, Docker registries for projects, integration with CI tools, and even Gi[...]

Drupal 8.3.0, the third minor release of Drupal 8, is now available. With Drupal 8, we made significant changes in our release process, adopting semantic versioning and scheduled feature releases. This allows us to make extensive improvements to Drupal 8 in a timely fashion while still providing backwards compatibility.
Update: Drupal 8.3.1 is available and fixes a security vulnerability. You should update directly to 8.3.1 instead of 8.3.0.
What's new in Drupal 8.3.0?
This new version includes improvements to authoring experience, site administration, REST support, and a stable version of the BigPipe module. It also includes new experimental modules to abstract workflow functionality, to lay out content types differently (e.g. articles are two column vs. press releases are three column), and to provide a general layout API for contributed modules. Many smaller improvements for the experimental Content Moderation module are included as well. (Experimental modules are provided with Drupal core for testing purposes, but are not yet fully supported.)
Download Drupal 8.3.1
New and improved content authoring
Drupal 8.3 ships with the updated CKEditor 4.6, which contains a host of improvements, including better paste from Word, and a new default skin that better matches Drupal's Seven administration theme. We've also added the AutoGrow plugin, to better utilize larger screen sizes.
Quick editing images now supports drag and drop.
Site building and administrative improvements
Drupal 8.3 ships with a redesigned admin status report, to better surface important status messages for your site.
Other incremental enhancements include:
The Views listing page is now standardized with other administrative listings.
The "Allowed HTML tags" input has been converted to a textarea, which significantly improves the usability of HTML filter configuration (and thereby makes it easier to configure filters securely.)
The Content and People overview pages' Views filters have been rearranged to match the column order of the listing, for more intuitive filtering.
Image fields are now limited to only accepting images, so that users on mobile clients are not offered a confusing and non-functional video upload option.
BigPipe for perceived performance
The Drupal 8 BigPipe module (now stable!) provides an advanced implementation of Facebook's BigPipe page rendering strategy, leading to greatly improved perceived performance for pages with dynamic, personalized, or uncacheable content. See the BigPipe documentation.
The core BigPipe improvements introduced in 8.3.0 are also utilized by the Sessionless BigPipe contributed module to use the same technique for serving the first (yet uncached) response to anonymous visitors.
Platform features for web services
Drupal 8.3 continues to expand Drupal's support for web services that benefit decoupled sites and applications, with bug fixes, improved responses, and new features. It is now possible to register users from the REST API, 403 responses now return a reason why access was denied, for greatly improved developer experience, and anonymous REST API performance has been increased by 60% when utilizing the internal page cache. The REST API also got a massive overhaul of its test coverage.
Experimental: Choose different form and view display layouts for your entity types
The new experimental Field Layout module provides the ability for site builders to rearra[...]

A new statement on this topic was posted on July 14, 2017 and can be found here.
This is a joint statement from project lead Dries Buytaert and Megan Sanicki, Drupal Association Executive Director.
Over the last week, the Drupal community has been in a debate over the various decisions made by us in relation to long-time Drupal developer Larry Garfield. As with any such decisions, and especially due to the circumstances of this one, there has been controversy, misinformation and rumors, as well as healthy conversation and debate. Many people feel hurt, worried, and confused. The fact that this matter became very public and divisive greatly saddens all of us involved, especially as we can see the pain it has caused many.
First off, we want to apologize for not responding sooner. We had to take a pause to process the community’s reaction. We also wanted to take the time to talk to community members to make sure all of the concerns were heard and understood. This was further complicated by the fact that we don't have a playbook for how to respond in unusual situations like this. We also want to acknowledge that our communication has not been as clear as it should be on this matter, and we are sorry for the added confusion.
We want to thank all of the community members who stepped in to help. Many spent days helping other community members by listening, hosting discussions to foster healthy, respectful conversations, and more. You have helped many people and your caring acts reminded us once again why we love to serve the community and why it is so special.
Over the last week, we talked to many people and read hundreds of posts in various channels. These are some of the things that we heard:
People are afraid that they will be asked to leave the community because of their beliefs or sexual lifestyles.
There are concerns about Drupal leadership playing "thought police" on what are and are not acceptable viewpoints to hold.
People want to hear more about the timeline, information gathered, and how decisions were made.
People don't understand why there weren’t any ramifications for those who participated in gathering information about Larry's private life.
People believe Dries has too much authority.
People believe that a decision this complex should not be made by a single individual.
And we heard much more.
We know this has been difficult for all involved. There is no quick solution to the current situation; it will take time to heal, but we want to make a start today by providing better insight into our decision-making process, answering questions with the FAQ found below, and by placing a call for improvements in our governance, conflict-resolution processes, and communication.
Addressing community questions and concerns
One of the main concerns that has been voiced is that a long-standing member of the Drupal community was removed, based solely on his beliefs being outside the "norm". We feel this is not representative of the situation.
We want to strongly emphasize that Drupal is an open-minded and inclusive community, and we welcome people of all backgrounds. Our community’s diversity is something to cherish and celebrate as well as protect. We apologize for any anxiety we caused you and reiterate that our decision was not based on anyone’s sexual practices.
Dries and Megan based their decisions on information from a variety of sources, including the Community Working Group and Larry himself. This information included:
(a) repor[...]

A new statement on this topic was posted on July 14, 2017 and can be found here.

We understand that there is uncertainty and concern in the Drupal community about project founder, Dries Buytaert, asking Larry Garfield to leave the Drupal community, and about the Drupal Association removing Larry's DrupalCon sessions and ending his term as track chair.

We want to be clear that the decision to remove Larry's DrupalCon session and track chair role was not because of his private life or personal beliefs. The Drupal Association stands by our values of inclusivity. Our decision was based on confidential information conveyed in private by many sources. Due to the confidential nature of the situation we cannot and will not disclose any information that may harm any members of our community, including Larry.

This decision followed our established process. As the Executive Director, charged with safekeeping the goodwill of the organization, I made this decision after considering input from various sources including the Community Working Group (CWG) and Drupal Project Lead, Dries Buytaert. Upon Larry’s request for an appeal, the full board reviewed the situation, all the evidence, and statements provided by Larry. After reviewing the entirety of the information available (including information not in the public view) the decision was upheld.

In order to protect everyone involved we cannot comment more, and trust that the community will be understanding.

We do see that there are many feelings and questions around this DrupalCon decision and we empathize with those community members. We will continue to monitor comments. We are listening.

Update: 29 Mar 2017

Thank you for taking the time to share your thoughts, concerns, and questions. I wanted to reach back out and reaffirm that we are listening. In addition to watching the comments here, we are also listening in other places like the Drupal community Slack, IRC, and the community blog posts that have come to our attention. Your comments are being heard and they are helping us to be thoughtful about our next steps.

This case study was written as a collaboration between Drupal Association staff and Technology Supporting Partner Distil Networks.
Drupal.org is the home of one of the largest open source communities in the world. We've been online for more than 13 years and collectively we build the Drupal software, provide support, write documentation, share networking opportunities, and more. The open source spirit pushes the Drupal project forward, and new members are always welcome. It falls to us to maintain our community home and preserve the welcoming atmosphere that leads people to say, "Come for the code, stay for the community."
As stewards of Drupal.org, it's our responsibility to give the community a voice and welcome everyone who wants to participate in the project. At the same time, there are bad actors who would take advantage of our open community and platform for abusive purposes.
Drupal.org's long-standing presence on the web has given it authority in the eyes of search engines. The site hosts millions of pages of content - all generated by our users. This combination of authority and open access for users to create content makes us a very high-value target for phishers and spammers.
Spam is a nuisance to our existing community, devalues our project to the newcomers we are hoping to welcome, and left unchecked could degrade our search presence.
Challenges
Spammers create bogus accounts to post their junk content
Only registered members can post content to the Drupal.org website, so there's a continuous onslaught of actors attempting to create accounts for the purpose of inserting link spam and other bad content onto the site. In the past, we've implemented a variety of strategies such as content analysis, behavioral analysis, social moderation, and rate limiting. And while these measures have been effective at reducing some of the spam we've seen, the onslaught continues.
The reason for that? Much of our attempted spam is not coming from bots. These are real people using tools to cloak their identity and manually creating accounts en masse. In many cases they may not even post junk content immediately. They will often sit on "sleeper" accounts waiting to be paid by somebody to promote malicious content.
It's too time consuming to manually remove spam content
Spam fighting is also a thankless task. All time spent fighting spam, whether by members of the engineering staff or our incredibly dedicated community volunteers, is time not spent on the project. Spam fighting has an opportunity cost that creates burn-out among staff and volunteers, and is not something we can afford to leave to manual moderation.
Especially when it comes to our community volunteers: they want to spend their time helping people with Drupal technical questions, not deleting spam.
Fake accounts and spam pollute the community engagement metrics
There are 1.9 million user accounts in the Drupal.org database, but using this data to measure community engagement is challenging because of the number of spammer accounts that have been registered over the years. When we have to work around so many illegitimate accounts, it's difficult to determine metrics for community health such as if our legitimate user growth is increasing or decreasing. We need cleaner user account data to give us more reliable community metrics, and help us make informed decisions.
The Solution
Before reaching out to Distil Networks, Dru[...]

Any user on Drupal.org who has accepted our Git usage policy may now create full projects with releases. This is a big change in policy for the Drupal project, representing an evolution of the contribution ecosystem over the past half decade.
What was the Project Application Process?
Ever since the days when Drupal's code was hosted in CVS there has been some form of project application process in the Drupal Community. To prevent duplicate, low-quality, insecure, or otherwise undesirable projects from flooding Drupal, users would submit sandbox projects to an application queue to be reviewed by a group of volunteers.
After resolving any issues raised in this review process, the user would be given the git vetted role, allowing them to promote their sandbox to a full project, claim a namespace, and create releases. Once a user had been vetted for their first project, they would remain vetted and be able to promote any future projects on their own, without submitting an additional application.
The Problem
Unfortunately, though the project application process was created with the best of intentions, in the long term it proved not to be sustainable. Drupal grew too fast for a group of volunteer reviewers to keep up with reviewing new projects, and at times there were applications waiting in queue for 6 months to 1 year, or even more. That is much too slow in the world of software development.
This put Drupal in a difficult situation. After years of subjecting new projects and contributors to a rigorous standard of peer review, Drupal has a well-deserved reputation for code quality and security. Unlike many open source projects, we largely avoided the problem of having many duplicate modules that exist to serve the same purpose. We unified our community’s effort, and kept up a culture of collaboration and peer review. At the same time, many would-be contributors were unable or unwilling to navigate the application process and so simply chose not to contribute.
The question became, how could we preserve the emphasis on quality while at the same time removing the barrier to contribution that the application process had become?
Constraints on a solution
Opening the contribution gates while retaining strong signals about code quality and security was a tricky problem. We established three constraints on a solution:
We need to welcome new contributors, and eliminate the walls that prevent contribution.
We need to continue to send strong signals about security coverage to users evaluating whether to use modules from Drupal.org.
We need to continue our strong emphasis on quality and collaboration through changes to project discovery that will provide new signals about code quality, and by providing incentives and credit for peer review.
The Solution
In collaboration with the community, the security team, members of the board, and staff we outlined a solution in four phases:
Phase 1: Send strong signals about security advisory coverage.
We updated project pages to include messaging and a shield icon to indicate whether a project received security advisory coverage from the security team.
We now serve security advisory coverage information in the update status information provided by Drupal.org, and we're working on a patch to display that information directly on the Updates page of users' Drupal sites.
Here are some examples of what these security signals look [...]

Drupal 8.2.7, a maintenance release which contains fixes for security vulnerabilities, is now available for download.
Download Drupal 8.2.7
Updating your existing Drupal 8 sites is strongly recommended. There are no new features nor non-security-related bug fixes in this release. See the 8.2.7 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.
Advisory ID: DRUPAL-SA-CORE-2017-001
Project: Drupal core
Version: 8.x
Date: 2017-March-15
Description
Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377
When adding a private file via a configured text editor (like CKEditor), the editor did not correctly check access for the file being attached, resulting in an access bypass.
Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379
Some administrative paths did not include protection against CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that the attacker would have to know the block ID.
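To make the CSRF item concrete, the following is an added example written for this page, not Drupal core code. It shows a state-changing administrative action as the advisory describes it (reachable by a plain GET with a guessable block ID) next to the same action gated by a per-session, per-path token. The route path, block IDs, session seed and site key are constructed, and PHP 7 is assumed for random_bytes(). Drupal itself expresses the requirement on a route with _csrf_token: 'TRUE' in the module's routing.yml and appends the token as a token query parameter to links it generates; the token class below re-implements that idea (HMAC over the path keyed with a session seed and a site-private key) so the example runs stand-alone.

```php
<?php
// Added example, not Drupal core code. Constructed names throughout.

/**
 * Per-session CSRF tokens bound to a path. Re-implementation for illustration
 * in the style of Drupal's csrf_token service, not the core class.
 */
final class CsrfToken {
  /** @var string */
  private $sessionSeed;
  /** @var string */
  private $siteKey;

  public function __construct($sessionSeed, $siteKey) {
    $this->sessionSeed = $sessionSeed;
    $this->siteKey = $siteKey;
  }

  /** Token for one path; a token captured from another path will not validate. */
  public function get($path) {
    $mac = hash_hmac('sha256', $path, $this->sessionSeed . $this->siteKey, TRUE);
    return rtrim(strtr(base64_encode($mac), '+/', '-_'), '=');
  }

  /** Constant-time comparison, known value first. */
  public function validate($token, $path) {
    return is_string($token) && hash_equals($this->get($path), $token);
  }
}

/** Before: the operation runs for whoever's browser sends the request. */
function disableBlockUnprotected(array $blocks, $blockId) {
  if (isset($blocks[$blockId])) {
    $blocks[$blockId]['status'] = FALSE;
  }
  return $blocks;
}

/** After: the same operation refuses to run without a valid token for this path. */
function disableBlockProtected(array $blocks, $blockId, array $query, CsrfToken $csrf) {
  // Hypothetical route path used only to bind the token.
  $path = '/admin/structure/block/manage/' . $blockId . '/disable';
  $token = isset($query['token']) ? $query['token'] : NULL;
  if (!$csrf->validate($token, $path)) {
    throw new RuntimeException('Access denied: missing or invalid CSRF token for ' . $path);
  }
  return disableBlockUnprotected($blocks, $blockId);
}

// Constructed fixture: one enabled block, one administrator session.
$blocks = ['bartik_search' => ['status' => TRUE]];
$csrf = new CsrfToken(bin2hex(random_bytes(16)), 'site-private-key');

// Forged request, e.g. an <img src=".../bartik_search/disable"> on an attacker
// page visited by the administrator: arrives without a token and is rejected.
try {
  disableBlockProtected($blocks, 'bartik_search', [], $csrf);
}
catch (RuntimeException $e) {
  echo $e->getMessage(), PHP_EOL;
}
assert($blocks['bartik_search']['status'] === TRUE);

// A token issued for a different path is rejected as well.
$wrongPath = ['token' => $csrf->get('/admin/structure/block/manage/other_block/disable')];
try {
  disableBlockProtected($blocks, 'bartik_search', $wrongPath, $csrf);
}
catch (RuntimeException $e) {
  echo "token for another path rejected", PHP_EOL;
}

// The link the site generated for this administrator carries the matching token.
$legit = ['token' => $csrf->get('/admin/structure/block/manage/bartik_search/disable')];
$blocks = disableBlockProtected($blocks, 'bartik_search', $legit, $csrf);
assert($blocks['bartik_search']['status'] === FALSE);
echo "block disabled with a valid token", PHP_EOL;
```

The point of binding the token to both the session and the path is that knowing the block ID, which the advisory names as the only obstacle for the unprotected path, no longer helps: the attacker has neither the victim's seed nor a way to predict the HMAC.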
Remote code execution - Drupal 8 - Remote code execution - Moderately Critical - CVE-2017-6381
A third-party development library included with Drupal 8's development dependencies is vulnerable to remote code execution.
This is mitigated by the default .htaccess protection against PHP execution, and by the fact that Composer development dependencies aren't normally installed.
You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the /vendor/phpunit directory from the site root of your production deployments.
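The advisory's check is specific to /vendor/phpunit. The script below is an added example written for this page, not Drupal code, that generalises it: it reads composer.lock, takes every package listed under "packages-dev" and reports those actually present under vendor/, then removes them. The composer.lock shape (top-level "packages" and "packages-dev" arrays of objects with a "name", installed at vendor/<vendor>/<package>) is Composer's real format; the site root and package list at the bottom are a constructed fixture. On a Composer-managed site the proper fix is to deploy with composer install --no-dev; deleting the directories is the manual equivalent the advisory describes.

```php
<?php
// Added example, not Drupal core code. Reports and removes Composer dev-only
// packages that were deployed to a production vendor/ tree.

/**
 * Returns the dev-only packages from composer.lock that exist under vendor/.
 *
 * @param string $siteRoot
 *   Directory holding composer.lock and vendor/.
 *
 * @return string[]
 *   Package names (vendor/package) that should not be on a production host.
 */
function findDeployedDevPackages($siteRoot) {
  $siteRoot = rtrim($siteRoot, '/');
  $lockFile = $siteRoot . '/composer.lock';
  if (!is_file($lockFile)) {
    throw new RuntimeException("No composer.lock found in $siteRoot");
  }
  $lock = json_decode(file_get_contents($lockFile), TRUE);
  if (!is_array($lock)) {
    throw new RuntimeException('composer.lock is not valid JSON: ' . json_last_error_msg());
  }
  $devPackages = isset($lock['packages-dev']) ? $lock['packages-dev'] : [];
  $deployed = [];
  foreach ($devPackages as $package) {
    // Composer installs each package at vendor/<vendor>/<package>.
    if (isset($package['name']) && is_dir($siteRoot . '/vendor/' . $package['name'])) {
      $deployed[] = $package['name'];
    }
  }
  sort($deployed);
  return $deployed;
}

/** Recursively deletes a directory tree. */
function removeTree($dir) {
  $items = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
  );
  foreach ($items as $item) {
    $item->isDir() ? rmdir($item->getPathname()) : unlink($item->getPathname());
  }
  rmdir($dir);
}

// Constructed fixture standing in for a site root deployed with dev dependencies:
// one runtime package, one dev package that was installed, one that was not.
$root = sys_get_temp_dir() . '/drupal-vendor-audit-' . bin2hex(random_bytes(4));
mkdir("$root/vendor/symfony/routing", 0700, TRUE);
mkdir("$root/vendor/phpunit/phpunit", 0700, TRUE);
file_put_contents("$root/composer.lock", json_encode([
  'packages' => [['name' => 'symfony/routing']],
  'packages-dev' => [['name' => 'phpunit/phpunit'], ['name' => 'behat/mink']],
], JSON_PRETTY_PRINT));

$found = findDeployedDevPackages($root);
// behat/mink is dev-only but absent from vendor/, so only phpunit is reported.
assert($found === ['phpunit/phpunit']);

foreach ($found as $name) {
  echo "dev-only package present in production: $name", PHP_EOL;
  removeTree("$root/vendor/$name");
  // Prune the now-empty vendor namespace directory (vendor/phpunit).
  $namespaceDir = dirname("$root/vendor/$name");
  if (count(scandir($namespaceDir)) === 2) {
    rmdir($namespaceDir);
  }
}
assert(findDeployedDevPackages($root) === []);
assert(!is_dir("$root/vendor/phpunit"));
echo "vendor/ is clean of dev-only packages", PHP_EOL;

removeTree($root);
```

Run it against a real deployment by replacing the fixture root with the site root; anything it reports is code that was never meant to be web-reachable and has no business on a production host regardless of whether a specific advisory covers it.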
Solution
Update to Drupal 8.2.7
Reported by
Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377
Casey
Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379
Samuel Mortenson
Remote code execution - Drupal 8 - Remote code execution - Moderately Critical - CVE-2017-6381
Timo Hilsdorf
Fixed by
Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377
László Csécsy
Wim Leers
Alex Pott of the Drupal Security Team
Klaus Purer of the Drupal Security Team
Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379
Samuel Mortenson
Sascha Grossenbacher
Remote code execution - Drupal 8 - Remote code execution - Moderately Critical - CVE-2017-6381
Klaus Purer of the Drupal Security Team
Mixologic
Updates
Updated the above text to link to the correct update directions.
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
[...]

Republished from buytaert.net; please post your comments there.
One of the key reasons that Drupal has been successful is because we always made big, forward-looking changes. As a result, Drupal is one of very few CMSes that has stayed relevant for 15+ years. The downside is that with every major release of Drupal, we've gone through a lot of pain adjusting to these changes. The learning curve and difficult upgrade path from one major version of Drupal to the next (e.g. from Drupal 7 to Drupal 8) has also held back Drupal's momentum. In an ideal world, we'd be able to innovate fast yet provide a smooth learning curve and upgrade path from Drupal 8 to Drupal 9. We believe we've found a way to do both!
Upgrading from Drupal 8.2 to Drupal 8.3
Before we can talk about the upgrade path to Drupal 9, it's important to understand how we do releases in Drupal 8. With the release of Drupal 8, we moved Drupal core to use a continuous innovation model. Rather than having to wait for years to get new features, users now get sizeable advances in functionality every six months. Furthermore, we committed to providing a smooth upgrade for modules, themes, and distributions from one six-month release to the next.
This new approach is starting to work really well. With the 8.1 and 8.2 updates behind us and 8.3 close to release, we have added some stable improvements like BigPipe and a new status report page, as well as experimental improvements for outside-in, workflows, layouts, and more. We also plan to add important media improvements in 8.4.
Most importantly, upgrading from 8.2 to 8.3 for these new features is not much more complicated than simply updating for a bugfix or security release.
Upgrading from Drupal 8 to Drupal 9
After a lot of discussion among the Drupal core committers and developers, and studying projects like Symfony, we believe that the advantages of Drupal's minor upgrade model (e.g. from Drupal 8.2 to Drupal 8.3) can be translated to major upgrades (e.g. from Drupal 8 to Drupal 9). We see a way to keep innovating while providing a smooth upgrade path and learning curve from Drupal 8 to Drupal 9.
Here is how we will accomplish this: we will continue to introduce new features and backwards-compatible changes in Drupal 8 releases. In the process, we sometimes have to deprecate the old systems. Instead of removing old systems, we will keep them in place and encourage module maintainers to update to the new systems. This means that modules and custom code will continue to work. The more we innovate, the more deprecated code there will be in Drupal 8. Over time, maintaining backwards compatibility will become increasingly complex. Eventually, we will reach a point where we simply have too much deprecated code in Drupal 8. At that point, we will choose to remove the deprecated systems and release that as Drupal 9.
This means that Drupal 9.0 should be almost identical to the last Drupal 8 release, minus the deprecated code. It means that when modules take advantage of the latest Drupal 8 APIs and avoid using deprecated code, they should work on Drupal 9. Updating from Drupal 8's latest version to Drupal 9.0.0 should be as easy as updating between minor versions of Drupal 8. It also means that Drupal 9 gives us a clean slate to start innovating more rapidly again.
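The model described above, as an added example written for this page rather than code from Drupal core: a minor release introduces a new API and keeps the old one as a thin wrapper that emits a deprecation notice, modules migrate while both exist, and the next major release simply deletes the wrapper. PHP's E_USER_DEPRECATED notice is the mechanism Symfony and Drupal core use for this; the class, method names, URL and version numbers below are constructed.

```php
<?php
// Added example, not Drupal core code. Constructed class and version numbers.

final class PathFormatter {

  /** New API, added in a (hypothetical) 8.4.0 minor release. */
  public function formatPath($path, array $options = []) {
    $absolute = !empty($options['absolute']);
    $path = '/' . ltrim($path, '/');
    return $absolute ? 'https://example.com' . $path : $path;
  }

  /**
   * Old API, kept so existing modules keep working through the 8.x cycle.
   *
   * @deprecated in 8.4.0 and will be removed before 9.0.0.
   *   Use PathFormatter::formatPath() instead.
   */
  public function format($path, $absolute = FALSE) {
    // The @ keeps the notice off production pages; a registered error handler
    // (below) still receives it, which is how test runs surface deprecations.
    @trigger_error(__METHOD__ . '() is deprecated in 8.4.0 and will be removed before 9.0.0. Use PathFormatter::formatPath() instead.', E_USER_DEPRECATED);
    return $this->formatPath($path, ['absolute' => $absolute]);
  }

}

/**
 * Collects deprecation notices so a module's test suite can fail on them and
 * prove the module is ready for 9.0 while still running on 8.x.
 */
final class DeprecationCollector {
  /** @var string[] */
  public $messages = [];

  public function register() {
    set_error_handler(function ($severity, $message) {
      if ($severity === E_USER_DEPRECATED) {
        $this->messages[] = $message;
        return TRUE;   // handled; do not fall through to PHP's default handler
      }
      return FALSE;    // everything else gets normal handling
    });
  }
}

$collector = new DeprecationCollector();
$collector->register();
$formatter = new PathFormatter();

// A module still on the old API keeps working in 8.x...
assert($formatter->format('node/1', TRUE) === 'https://example.com/node/1');
// ...but its test run now records exactly what must change before 9.0.
assert(count($collector->messages) === 1);
assert(strpos($collector->messages[0], 'PathFormatter::format() is deprecated') === 0);

// The migrated call produces the same result and no notice.
assert($formatter->formatPath('node/1', ['absolute' => TRUE]) === 'https://example.com/node/1');
assert(count($collector->messages) === 1);

restore_error_handler();
echo "Deprecations to fix before 9.0:", PHP_EOL, ' - ', implode(PHP_EOL . ' - ', $collector->messages), PHP_EOL;
```

Releasing 9.0 then consists of deleting format() and nothing else in this class; a module whose tests pass with the collector treating deprecations as failures is unaffected by that deletion, which is the "as easy as a minor update" property the post claims.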
Why would you upgrade to Drupal 9 th[...]

Join us at DrupalCon Baltimore from April 24-28 for a week of inspiration, networking, and learning. Meet Drupal experts and industry leaders who will share new ways to create digital experiences that delight customers, citizens, students, patients, and more.

Register today. Prices increase March 24th. Attendees can come for the week or just for a day. Plus, the Baltimore Convention Center is easy to reach - just 30 minutes from Baltimore Washington Airport and 15 minutes from the Amtrak Station.

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.
Drupal.org updates
Industry Pages Launched
After a great deal of preparation, user research, and content development we've launched the first three 'Drupal in your Industry' pages. These first three pages highlight the power of Drupal in Media and Publishing, Higher Education, and Government. Each of these pages uses geo-targeted content to reach audiences in: the Americas; Europe, the Middle East, and Africa; and the Asia Pacific, Australia and New Zealand regions.
These pages are targeted at evaluators of Drupal in these specific industries. From our research, we've found that these evaluators typically have Drupal on their short list of technology choices, but are not familiar with how a complete solution is built on Drupal, and they're eager to see success stories from their industry peers.
We'll be expanding on this initiative with additional industry pages as time goes on.
Project Application Revamp
In February we completed phases 1 and 2 of the Project Application Process Revamp. This has meant polishing up the security advisory coverage messages that are provided on project pages, adding a new field for vetted users to opt in to advisory coverage for their projects, and adding security advisory coverage information to the updates XML served from Drupal.org. With these issues complete we'll be able to move forward with Phase 3 (opening the project promotion gates) and Phase 4 (improving code quality signals and incentivizing peer review) as we roll into March.
[Author's note] The project application revamp hit a major milestone in early March with the completion of Phase 3. Any user who has accepted the git terms of service may now promote sandbox projects to full projects with releases, and the application process has been re-purposed for vetting users who want the ability to opt into security advisory coverage for their projects. Look for more information in our upcoming March post.
2017 Community Elections are Live
On February 1 we opened self-nominations for one of the two community-at-large seats on the Drupal Association Board of Directors. At the time of this post, self-nominations have closed and now it's time to vote!
Each year we make incremental improvements to the elections process. This year we've allowed each candidate to present a short 'statement of candidacy' video - and we've updated the ballot to allow easy drag-and-drop ranking of candidates.
Voting closes on March 18th, so make sure to vote soon!
Documentation polish, and new "call-out" templates
As the migration of content into the new documentation system continues, we've continued to polish and improve the tools. In February we made a few small improvements including: help text for maintainers and fixes for links to the discuss page in email notifications. We also made one large improvement: Call-out templates for highlighting warning information or version-specific notes within a documentation page. These templates are available using the CKEditor Templates button when editing any documentation page.
The documentation editor may select from the 'Warning note' template, which will highlight caution[...]